Posted by Scott on 03/10/06 01:58
Thanks for the feedback guys. I know not to rely on HTTP_REFERER. I
think the plan is to use a combination of the method I described
earlier, along with filtering the input with regular expressions to
ensure I'm only getting valid data.
This is for a contact form, so if you can think of any more obvious
holes I need to watch for, let me know.
Thanks again!
Scott
Scott wrote:
> I've been trying to come up with a way to ensure user input is coming
> from the form on my site, and not auto-submitted from elsewhere, and I
> don't want to use the "enter the code shown in the image" method. I know
> the $_SERVER['HTTP_REFERER'] contents can be spoofed, so I thought of
> doing something similar to this:
>
> <?php
> session_start();
> $code = mt_rand(0,1000000);
> $_SESSION['code'] = $code;
> ?>
>
> Then in my form have:
> <input type="hidden" name="originator" value="<?=$code?>">
>
> On the page receiving the form:
>
> <?php
> session_start();
> if(isset($_POST['originator'])) {
>     if($_POST['originator'] == $_SESSION['code']) {
>         // process the form
>     }
> }
> ?>
>
> I'm looking for feedback on this method. Do you think this is an
> effective way to ensure the input you're receiving is indeed from your
> form? Obviously, the random code key will be visible to the client, but
> without the matching session variable, it will be useless.
>
> Your thoughts?
>
> Scott
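A hardened version of the session-token check discussed in this thread, combined with the regular-expression input filtering Scott mentions for his contact form. This is an added example, not Scott's code; the function names, field names and the 30-minute token lifetime are assumptions made here for illustration, and it assumes PHP 7 or later for random_bytes() and hash_equals().

```php
<?php
// Added example (not from the thread). Hardened form-origin token plus
// whitelist validation for a contact form. Names are illustrative assumptions.
declare(strict_types=1);

// Call on the page that renders the form; embed the return value in the hidden
// input. random_bytes() is a CSPRNG, unlike mt_rand(), so the token cannot be
// predicted, and a fresh token is issued on every render.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));          // 64 hex chars, 256 bits
    $_SESSION['form_token'] = $token;
    $_SESSION['form_token_time'] = time();
    return $token;
}

// Call on the page that receives the POST. True only if the submitted value
// matches the token stored in this visitor's session and the token is no older
// than $max_age seconds. The stored token is cleared on every attempt, so a
// token can be redeemed at most once.
function consume_form_token(?string $submitted, int $max_age = 1800): bool
{
    $stored = $_SESSION['form_token'] ?? null;
    $issued = (int) ($_SESSION['form_token_time'] ?? 0);
    unset($_SESSION['form_token'], $_SESSION['form_token_time']);

    if ($stored === null || $submitted === null) {
        return false;
    }
    if (time() - $issued > $max_age) {
        return false;
    }
    // hash_equals() gives a strict, constant-time comparison; the original
    // loose == check would also accept type-juggled values.
    return hash_equals($stored, $submitted);
}

// Whitelist validation for the contact fields. Returns the names of the
// fields that failed; an empty array means everything is acceptable.
function validate_contact(array $post): array
{
    $errors = [];

    $name = trim((string) ($post['name'] ?? ''));
    if (!preg_match('/^[\p{L} .\'-]{1,80}$/u', $name)) {
        $errors[] = 'name';
    }

    $email = trim((string) ($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || strlen($email) > 254) {
        $errors[] = 'email';
    }

    // Subject goes into a mail header: a CR or LF here is how a contact form
    // gets turned into a relay for injected headers, so reject it outright.
    $subject = trim((string) ($post['subject'] ?? ''));
    if ($subject === '' || strlen($subject) > 120 || preg_match('/[\r\n]/', $subject)) {
        $errors[] = 'subject';
    }

    // The body may legitimately contain newlines; only bound its length.
    $message = (string) ($post['message'] ?? '');
    if (trim($message) === '' || strlen($message) > 4000) {
        $errors[] = 'message';
    }

    return $errors;
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_form_token($_POST['originator'] ?? null)) {
        http_response_code(403);
        exit('Form token missing, expired or already used.');
    }
    $errors = validate_contact($_POST);
    if ($errors === []) {
        // process the form (build and send the mail here)
        exit('Thanks, your message was sent.');
    }
    http_response_code(400);
    exit('Invalid fields: ' . htmlspecialchars(implode(', ', $errors), ENT_QUOTES, 'UTF-8'));
}

// GET: render the form with a fresh token (only the relevant input is shown).
$token = issue_form_token();
?>
<form method="post" action="">
  <input type="hidden" name="originator"
         value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <!-- name, email, subject and message inputs go here -->
  <button type="submit">Send</button>
</form>
```

Two points worth keeping in mind about what this does and does not give you. The token check stops blind POSTs from other sites, because a submitter needs both the session cookie and the matching token; it does not stop a script that first loads your form page, collects the cookie and token like a browser would, and then submits, which is the case the image-code approach Scott wants to avoid is aimed at, so pair it with rate limiting on the receiving page. And the validation treats every header-bound field (name, email, subject) as hostile until it matches a narrow pattern, which is the part of the filtering that actually protects the mail function behind the form.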